vLLM torch.load() RCE - CVE-2025-24357 PoC
WARNING: MALICIOUS FILE - SECURITY RESEARCH ONLY
Vulnerability
File: vllm/model_executor/weight_utils.py
Function: hf_model_weights_iterator()
CVE: CVE-2025-24357
Description
vLLM <= 0.7.0 uses torch.load(weights_only=False) when loading model
checkpoints from HuggingFace. This deserializes pickle payloads inside
malicious .pt/.pth files, enabling arbitrary code execution.
# Vulnerable code in vllm/model_executor/weight_utils.py
def hf_model_weights_iterator(...):
    ...
    checkpoint = torch.load(filename, weights_only=False)  # RCE here!
Impact
- Severity: High (CVSS 7.5)
- Attack Vector: Serve malicious model checkpoint → vLLM loads it → RCE
- Fix: vLLM 0.7.0+ uses weights_only=True
Reproduction
import torch
checkpoint = torch.load("malicious_vllm_model.pt", weights_only=False)
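A defender-side check, added here as an example and not part of this PoC or of vLLM: it disassembles the pickle inside a .pt file with pickletools (nothing in the stream runs) and reports every import outside an assumed allowlist, so a checkpoint can be rejected before torch.load ever sees it. The sample files are constructed in memory, and builtins.len is a harmless stand-in for any non-allowlisted global.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumed allowlist for a plain state_dict; extend it for the layout you ship.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                   "torch.FloatStorage", "torch.HalfStorage", "torch.BFloat16Storage"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def pickle_globals(stream: bytes) -> list:
    """module.attr names the stream would import, via pickletools.genops (nothing
    runs). The shadow string stack for STACK_GLOBAL follows what pickle.py emits;
    a crafted or malformed stream can confuse it or raise: a gate, not a guarantee."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(stream):
        if op.name == "MEMOIZE":
            memo[len(memo)] = last; continue
        if op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last; continue
        last = None
        if op.name in ("GLOBAL", "INST"):          # "module name" carried inline
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":            # proto 4+: module, name from stack
            name, module = strings.pop(), strings.pop()
            found.append(f"{module}.{name}")
        elif op.name in STRING_OPS:
            strings.append(arg); last = arg
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and isinstance(memo.get(arg), str):
            last = memo[arg]; strings.append(last)
    return found

def audit_checkpoint(blob: bytes) -> list:
    """Globals the .pt file references that are outside ALLOWED_GLOBALS."""
    pickles = [blob]  # pre-1.6 torch files are a bare pickle stream
    if zipfile.is_zipfile(io.BytesIO(blob)):  # torch >= 1.6: zip with <name>/data.pkl
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            pickles = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return sorted({g for p in pickles for g in pickle_globals(p)} - ALLOWED_GLOBALS)

def fake_pt(payload: bytes) -> bytes:  # constructed sample in torch's zip layout
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", payload)
    return buf.getvalue()
# Constructed samples: a benign state_dict, and a checkpoint whose pickle resolves
# an import outside the allowlist (builtins.len stands in harmlessly for any other).
BENIGN_PT = fake_pt(pickle.dumps(OrderedDict(bias=0), protocol=2))
SUSPECT_PT = fake_pt(pickle.dumps(len, protocol=4))
```

Even an empty audit is only a gate: load the file afterwards with weights_only=True, never with weights_only=False on untrusted input.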
References